
Log Analysis and Evaluation: Bundestrojaner: FRST Log

Windows 7. If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

19.08.2014, 10:54   #1
Photospirit
Bundestrojaner: FRST Log



Hello everyone,
I have caught the CH version of the Bundespolizei trojan. I have attached the FRST.txt log file and am grateful for any help. If further information is needed, I can of course gladly provide it.

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-08-2014 01
Ran by SYSTEM on MININT-4DIDKFV on 19-08-2014 11:37:15
Running from H:\
Platform: Windows 7 Home Premium (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-22] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-15] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610872 2009-07-21] ()
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [DpAgent] => C:\Program Files (x86)\DigitalPersona\Bin\dpagent.exe [842816 2009-12-01] (DigitalPersona, Inc.)
HKLM-x32\...\Run: [Easybits Recovery] => C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [60464 2009-06-22] (EasyBits Software AS)
HKLM-x32\...\Run: [QlbCtrl.exe] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [323640 2010-02-25] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [WirelessAssistant] => C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [500792 2010-03-23] (Hewlett-Packard Company)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5236664 2012-09-19] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-01-28] (Hewlett-Packard)
HKU\juli\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1668664 2009-07-15] (Hewlett-Packard)
HKU\juli\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3883840 2009-07-26] (Microsoft Corporation)
HKU\juli\...\Run: [RegistryBooster] => "C:\Program Files (x86)\Uniblue\RegistryBooster\launcher.exe" delay 20000 
HKU\juli\...\Run: [TomTomHOME.exe] => C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [248208 2013-03-22] (TomTom)
HKU\juli\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKU\juli\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
HKU\juli\...\Policies\system: [DisableChangePassword] 0
HKU\juli\...\Policies\system: [DisableLockWorkstation] 0
HKU\juli\...\Policies\system: [WallpaperStyle] 2
HKU\Marco\...\Run: [HPADVISOR] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1668664 2009-07-15] (Hewlett-Packard)
HKU\Marco\...\Run: [TomTomHOME.exe] => C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [248208 2013-03-22] (TomTom)
HKU\Marco\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\Marco\...\Policies\system: [WallpaperStyle] 2
HKU\Marco\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x00000000
Lsa: [Notification Packages] scecli DPPWDFLT
Startup: C:\Users\juli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\juli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\0ACA3C.cpp (Корпорация Майкрософт)
Startup: C:\Users\juli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WKCALREM.LNK
ShortcutTarget: WKCALREM.LNK -> C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE (No File)
Startup: C:\Users\Marco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\0ACA3C.cpp (Корпорация Майкрософт)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe [240128 2009-07-22] (IDT, Inc.)
S2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesService64.exe [2143552 2012-02-09] (TuneUp Software)
S2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1157056 2012-09-19] (Western Digital )
S2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [248248 2012-09-19] (Western Digital)
S2 WDRulesService; C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [1177536 2012-09-19] (Western Digital )
S2 Winmgmt; C:\ProgramData\C3ACA0.dot [332548 2014-08-11] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S5 SDBus; C:\Windows\System32\Drivers\SDBus.sys [109056 2009-07-14] (Microsoft Corporation)
S2 {55662437-DA8C-40c0-AADA-2C816A897A49}; c:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2009-07-23] (CyberLink Corp.)
S4 eabfiltr; 
S3 TuneUpUtilitiesDrv; \??\C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesDriver64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-19 12:09 - 2014-08-19 12:33 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-08-19 11:37 - 2014-08-19 11:37 - 00000000 ____D () C:\FRST
2014-08-15 12:55 - 2014-08-15 12:57 - 00001166 _____ () C:\ProgramData\RUNDLL32.EXE-680-F.txt
2014-08-11 16:57 - 2014-08-11 17:00 - 00009750 _____ () C:\ProgramData\RUNDLL32.EXE-7068-F.txt
2014-08-11 16:56 - 2014-08-11 16:56 - 00332548 ____T (Microsoft Corporation) C:\ProgramData\C3ACA0.dot
2014-08-11 16:53 - 2014-08-11 16:53 - 00134144 _____ (Корпорация Майкрософт) C:\ProgramData\0ACA3C.cpp

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-19 12:33 - 2014-08-19 12:09 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-08-19 11:37 - 2014-08-19 11:37 - 00000000 ____D () C:\FRST
2014-08-19 10:14 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-19 10:14 - 2009-07-14 05:51 - 36213290 _____ () C:\Windows\setupact.log
2014-08-19 10:07 - 2010-03-07 10:48 - 01541249 _____ () C:\Windows\WindowsUpdate.log
2014-08-19 10:00 - 2013-07-14 06:05 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-19 09:53 - 2009-07-14 05:45 - 00027568 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-19 09:53 - 2009-07-14 05:45 - 00027568 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-15 12:59 - 2010-01-06 14:21 - 00000000 ____D () C:\Users\juli\Tracing
2014-08-15 12:57 - 2014-08-15 12:55 - 00001166 _____ () C:\ProgramData\RUNDLL32.EXE-680-F.txt
2014-08-15 12:57 - 2010-01-05 02:05 - 00000000 ____D () C:\Users\juli\AppData\Roaming\Skype
2014-08-11 17:00 - 2014-08-11 16:57 - 00009750 _____ () C:\ProgramData\RUNDLL32.EXE-7068-F.txt
2014-08-11 16:56 - 2014-08-11 16:56 - 00332548 ____T (Microsoft Corporation) C:\ProgramData\C3ACA0.dot
2014-08-11 16:53 - 2014-08-11 16:53 - 00134144 _____ (Корпорация Майкрософт) C:\ProgramData\0ACA3C.cpp
2014-08-08 07:10 - 2010-02-17 14:12 - 00003922 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{3052F858-F1EF-4C6A-8729-6F0A9FDF7353}
2014-08-05 08:20 - 2010-03-05 08:58 - 00270496 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2014-07-28 20:06 - 2013-03-13 21:10 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-07-28 20:06 - 2013-03-13 21:10 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-07-20 12:15 - 2009-07-14 18:58 - 00654400 _____ () C:\Windows\System32\perfh007.dat
2014-07-20 12:15 - 2009-07-14 18:58 - 00130240 _____ () C:\Windows\System32\perfc007.dat
2014-07-20 12:15 - 2009-07-14 06:13 - 01498742 _____ () C:\Windows\System32\PerfStringBackup.INI

Some content of TEMP:
====================
C:\Users\juli\AppData\Local\Temp\1404.dll
C:\Users\juli\AppData\Local\Temp\audacity-win-unicode-1.3.12.exe
C:\Users\juli\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\juli\AppData\Local\Temp\FlashPlayerUpdate01.exe
C:\Users\juli\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\juli\AppData\Local\Temp\nsaBA71.tmp.ConduitEngineEmbbed.exe
C:\Users\juli\AppData\Local\Temp\rcskuuhk.dll
C:\Users\juli\AppData\Local\Temp\Resource.exe
C:\Users\juli\AppData\Local\Temp\SetupDataMngr_iMesh.exe
C:\Users\juli\AppData\Local\Temp\SkypeSetup.exe
C:\Users\juli\AppData\Local\Temp\softonic-de3.exe
C:\Users\juli\AppData\Local\Temp\Softonic_Deutsch.exe
C:\Users\juli\AppData\Local\Temp\sp48071.exe
C:\Users\juli\AppData\Local\Temp\sp54373.exe
C:\Users\juli\AppData\Local\Temp\sp58915.exe
C:\Users\juli\AppData\Local\Temp\sp64126.exe
C:\Users\juli\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Marco\AppData\Local\Temp\nsvF6B0.tmp.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-06-18 06:01:28
Restore point made on: 2014-06-28 22:37:24
Restore point made on: 2014-07-07 06:41:15
Restore point made on: 2014-07-10 09:01:21
Restore point made on: 2014-07-15 14:29:26
Restore point made on: 2014-07-22 14:56:37
Restore point made on: 2014-07-27 12:59:15
Restore point made on: 2014-07-27 13:41:43
Restore point made on: 2014-08-01 06:15:48
Restore point made on: 2014-08-08 07:11:37

==================== Memory info =========================== 

Percentage of memory in use: 15%
Total physical RAM: 4092.2 MB
Available physical RAM: 3448.68 MB
Total Pagefile: 4090.35 MB
Available Pagefile: 3435.22 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:283.23 GB) (Free:186.14 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:14.56 GB) (Free:2.4 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
Drive g: (KRD10) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS
Drive h: (STICK) (Removable) (Total:3.8 GB) (Free:3.8 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 9D57FE31)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=283.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14.6 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================
Disk: 1 (Size: 3.8 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.


LastRegBack: 2014-07-18 08:22

==================== End Of Log ============================

Tags for Bundestrojaner: FRST Log
adobe flash player, bundes trojaner, launch, lnk/agent.az, pup.optional.conduit, pup.optional.conduittb.a, pup.optional.pricegong.a, pup.optional.softonic.a, trojan.agent.ed, trojan.fakems.ed, win32/adware.bandoo.aa, win32/kryptik.cipu, win32/pricegong.a, win32/toolbar.conduit.b, win32/toolbar.conduit.y, win64/kryptik.fz



